Update net/third_party/nss to NSS 3.15.4.

net/third_party/nss/patches/channelid.patch

 diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
---- a/nss/lib/ssl/ssl3con.c     2013-07-31 12:45:11.497944276 -0700
-+++ b/nss/lib/ssl/ssl3con.c     2013-07-31 12:51:32.663550380 -0700
+--- a/nss/lib/ssl/ssl3con.c     2014-01-03 19:36:09.938766379 -0800
++++ b/nss/lib/ssl/ssl3con.c     2014-01-03 19:37:50.360408300 -0800
 @@ -55,6 +55,7 @@ static SECStatus ssl3_SendCertificateSta
  static SECStatus ssl3_SendEmptyCertificate(  sslSocket *ss);
  static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
  static SECStatus ssl3_SendNextProto(         sslSocket *ss);
 +static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss);
  static SECStatus ssl3_SendFinished(          sslSocket *ss, PRInt32 flags);
  static SECStatus ssl3_SendServerHello(       sslSocket *ss);
  static SECStatus ssl3_SendServerHelloDone(   sslSocket *ss);
-@@ -5891,6 +5892,15 @@ ssl3_HandleServerHello(sslSocket *ss, SS
+@@ -6198,6 +6199,15 @@ ssl3_HandleServerHello(sslSocket *ss, SS
      }
  #endif  /* NSS_PLATFORM_CLIENT_AUTH */
  
 +    if (ss->ssl3.channelID != NULL) {
 +       SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
 +       ss->ssl3.channelID = NULL;
 +    }
 +    if (ss->ssl3.channelIDPub != NULL) {
 +       SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
 +       ss->ssl3.channelIDPub = NULL;
 +    }
 +
      temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
      if (temp < 0) {
         goto loser;     /* alert has been sent */
-@@ -6170,7 +6180,7 @@ ssl3_HandleServerHello(sslSocket *ss, SS
+@@ -6480,7 +6490,7 @@ ssl3_HandleServerHello(sslSocket *ss, SS
         if (rv != SECSuccess) {
             goto alert_loser;   /* err code was set */
         }
 -       return SECSuccess;
 +       goto winner;
      } while (0);
  
      if (sid_match)
-@@ -6196,6 +6206,27 @@ ssl3_HandleServerHello(sslSocket *ss, SS
+@@ -6506,6 +6516,27 @@ ssl3_HandleServerHello(sslSocket *ss, SS
  
      ss->ssl3.hs.isResuming = PR_FALSE;
      ss->ssl3.hs.ws         = wait_server_cert;
 +
 +winner:
 +    /* If we will need a ChannelID key then we make the callback now. This
 +     * allows the handshake to be restarted cleanly if the callback returns
 +     * SECWouldBlock. */
 +    if (ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) {
 +       rv = ss->getChannelID(ss->getChannelIDArg, ss->fd,
 +                             &ss->ssl3.channelIDPub, &ss->ssl3.channelID);
 +       if (rv == SECWouldBlock) {
 +           ssl3_SetAlwaysBlock(ss);
 +           return rv;
 +       }
 +       if (rv != SECSuccess ||
 +           ss->ssl3.channelIDPub == NULL ||
 +           ss->ssl3.channelID == NULL) {
 +           PORT_SetError(SSL_ERROR_GET_CHANNEL_ID_FAILED);
 +           desc = internal_error;
 +           goto alert_loser;
 +       }
 +    }
 +
      return SECSuccess;
  
  alert_loser:
-@@ -6993,6 +7024,10 @@ ssl3_SendClientSecondRound(sslSocket *ss
+@@ -7467,7 +7498,14 @@ ssl3_SendClientSecondRound(sslSocket *ss
+        if (rv != SECSuccess) {
             goto loser; /* err code was set. */
         }
-     }
++    }
+ 
 +    rv = ssl3_SendEncryptedExtensions(ss);
 +    if (rv != SECSuccess) {
 +       goto loser; /* err code was set. */
 +    }
++
++    if (!ss->firstHsDone) {
+        if (ss->opt.enableFalseStart) {
+            if (!ss->ssl3.hs.authCertificatePending) {
+                /* When we fix bug 589047, we will need to know whether we are
+@@ -7504,6 +7542,33 @@ ssl3_SendClientSecondRound(sslSocket *ss
  
-     rv = ssl3_SendFinished(ss, 0);
-     if (rv != SECSuccess) {
-@@ -9947,6 +9982,165 @@ ssl3_RecordKeyLog(sslSocket *ss)
-     return;
+     ssl_ReleaseXmitBufLock(ss);                /*******************************/
+ 
++    if (!ss->ssl3.hs.isResuming &&
++        ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) {
++        /* If we are negotiating ChannelID on a full handshake then we record
++         * the handshake hashes in |sid| at this point. They will be needed in
++         * the event that we resume this session and use ChannelID on the
++         * resumption handshake. */
++        SSL3Hashes hashes;
++        SECItem *originalHandshakeHash =
++            &ss->sec.ci.sid->u.ssl3.originalHandshakeHash;
++        PORT_Assert(ss->sec.ci.sid->cached == never_cached);
++
++        ssl_GetSpecReadLock(ss);
++        PORT_Assert(ss->version > SSL_LIBRARY_VERSION_3_0);
++        rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0);
++        ssl_ReleaseSpecReadLock(ss);
++        if (rv != SECSuccess) {
++            return rv;
++        }
++
++        PORT_Assert(originalHandshakeHash->len == 0);
++        originalHandshakeHash->data = PORT_Alloc(hashes.len);
++        if (!originalHandshakeHash->data)
++            return SECFailure;
++        originalHandshakeHash->len = hashes.len;
++        memcpy(originalHandshakeHash->data, hashes.u.raw, hashes.len);
++    }
++
+     if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn))
+        ss->ssl3.hs.ws = wait_new_session_ticket;
+     else
+@@ -10469,6 +10534,184 @@ ssl3_RecordKeyLog(sslSocket *ss)
  }
  
-+/* called from ssl3_SendClientSecondRound
+ /* called from ssl3_SendClientSecondRound
 + *          ssl3_HandleFinished
 + */
 +static SECStatus
 +ssl3_SendEncryptedExtensions(sslSocket *ss)
 +{
 +    static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature";
++    static const char CHANNEL_ID_RESUMPTION_MAGIC[] = "Resumption";
 +    /* This is the ASN.1 prefix for a P-256 public key. Specifically it's:
 +     * SEQUENCE
 +     *   SEQUENCE
 +     *     OID id-ecPublicKey
 +     *     OID prime256v1
 +     *   BIT STRING, length 66, 0 trailing bits: 0x04
 +     *
 +     * The 0x04 in the BIT STRING is the prefix for an uncompressed, X9.62
 +     * public key. Following that are the two field elements as 32-byte,
 +     * big-endian numbers, as required by the Channel ID. */
 +    static const unsigned char P256_SPKI_PREFIX[] = {
 +       0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
 +       0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
 +       0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
 +       0x42, 0x00, 0x04
 +    };
 +    /* ChannelIDs are always 128 bytes long: 64 bytes of P-256 public key and 64
 +     * bytes of ECDSA signature. */
 +    static const int CHANNEL_ID_PUBLIC_KEY_LENGTH = 64;
 +    static const int CHANNEL_ID_LENGTH = 128;
 +
 +    SECStatus rv = SECFailure;
 +    SECItem *spki = NULL;
 +    SSL3Hashes hashes;
 +    const unsigned char *pub_bytes;
-+    unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) + sizeof(SSL3Hashes)];
++    unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) +
++                              sizeof(CHANNEL_ID_RESUMPTION_MAGIC) +
++                              sizeof(SSL3Hashes)*2];
++    size_t signed_data_len;
 +    unsigned char digest[SHA256_LENGTH];
 +    SECItem digest_item;
 +    unsigned char signature[64];
 +    SECItem signature_item;
 +
 +    PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
 +    PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 +
 +    if (ss->ssl3.channelID == NULL)
 +       return SECSuccess;
@@ skipping 29 matching lines @@
 +
 +    if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH ||
 +       memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX)) != 0) {
 +       PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
 +       rv = SECFailure;
 +       goto loser;
 +    }
 +
 +    pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX);
 +
-+    memcpy(signed_data, CHANNEL_ID_MAGIC, sizeof(CHANNEL_ID_MAGIC));
-+    memcpy(signed_data + sizeof(CHANNEL_ID_MAGIC), hashes.u.raw, hashes.len);
++    signed_data_len = 0;
++    memcpy(signed_data + signed_data_len, CHANNEL_ID_MAGIC,
++           sizeof(CHANNEL_ID_MAGIC));
++    signed_data_len += sizeof(CHANNEL_ID_MAGIC);
++    if (ss->ssl3.hs.isResuming) {
++        SECItem *originalHandshakeHash =
++            &ss->sec.ci.sid->u.ssl3.originalHandshakeHash;
++        PORT_Assert(originalHandshakeHash->len > 0);
 +
-+    rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data,
-+                     sizeof(CHANNEL_ID_MAGIC) + hashes.len);
++        memcpy(signed_data + signed_data_len, CHANNEL_ID_RESUMPTION_MAGIC,
++               sizeof(CHANNEL_ID_RESUMPTION_MAGIC));
++        signed_data_len += sizeof(CHANNEL_ID_RESUMPTION_MAGIC);
++        memcpy(signed_data + signed_data_len, originalHandshakeHash->data,
++               originalHandshakeHash->len);
++        signed_data_len += originalHandshakeHash->len;
++    }
++    memcpy(signed_data + signed_data_len, hashes.u.raw, hashes.len);
++    signed_data_len += hashes.len;
++
++    rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data, signed_data_len);
 +    if (rv != SECSuccess)
 +       goto loser;
 +
 +    digest_item.data = digest;
 +    digest_item.len = sizeof(digest);
 +
 +    signature_item.data = signature;
 +    signature_item.len = sizeof(signature);
 +
 +    rv = PK11_Sign(ss->ssl3.channelID, &signature_item, &digest_item);
@@ skipping 52 matching lines @@
 +    if (ss->ssl3.channelIDPub)
 +       SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
 +
 +    ss->handshake = ssl_GatherRecord1stHandshake;
 +    ss->ssl3.channelID = channelID;
 +    ss->ssl3.channelIDPub = channelIDPub;
 +
 +    return SECSuccess;
 +}
 +
- /* called from ssl3_HandleServerHelloDone
++/* called from ssl3_SendClientSecondRound
   *             ssl3_HandleClientHello
   *             ssl3_HandleFinished
-@@ -10202,11 +10396,16 @@ ssl3_HandleFinished(sslSocket *ss, SSL3O
+  */
+@@ -10728,11 +10971,16 @@ ssl3_HandleFinished(sslSocket *ss, SSL3O
             flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER;
         }
  
 -       if (!isServer && !ss->firstHsDone) {
 -           rv = ssl3_SendNextProto(ss);
 -           if (rv != SECSuccess) {
 -               goto xmit_loser; /* err code was set. */
 +       if (!isServer) {
 +           if (!ss->firstHsDone) {
 +               rv = ssl3_SendNextProto(ss);
 +               if (rv != SECSuccess) {
 +                   goto xmit_loser; /* err code was set. */
 +               }
             }
 +           rv = ssl3_SendEncryptedExtensions(ss);
 +           if (rv != SECSuccess)
 +               goto xmit_loser; /* err code was set. */
         }
  
         if (IS_DTLS(ss)) {
-@@ -11635,6 +11834,11 @@ ssl3_DestroySSL3Info(sslSocket *ss)
+@@ -12212,6 +12460,11 @@ ssl3_DestroySSL3Info(sslSocket *ss)
         ssl_FreePlatformKey(ss->ssl3.platformClientKey);
  #endif /* NSS_PLATFORM_CLIENT_AUTH */
  
 +    if (ss->ssl3.channelID)
 +       SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
 +    if (ss->ssl3.channelIDPub)
 +       SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
 +
      if (ss->ssl3.peerCertArena != NULL)
         ssl3_CleanupPeerCerts(ss);
  
 diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
---- a/nss/lib/ssl/ssl3ext.c     2013-07-31 12:40:14.493586151 -0700
-+++ b/nss/lib/ssl/ssl3ext.c     2013-07-31 12:45:50.338515793 -0700
+--- a/nss/lib/ssl/ssl3ext.c     2014-01-03 19:31:09.783859095 -0800
++++ b/nss/lib/ssl/ssl3ext.c     2014-01-03 19:36:25.379018825 -0800
 @@ -60,6 +60,10 @@ static PRInt32 ssl3_SendUseSRTPXtn(sslSo
      PRUint32 maxBytes);
  static SECStatus ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type,
      SECItem *data);
 +static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss,
 +    PRUint16 ex_type, SECItem *data);
 +static PRInt32 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append,
 +    PRUint32 maxBytes);
  static SECStatus ssl3_ServerSendStatusRequestXtn(sslSocket * ss,
      PRBool append, PRUint32 maxBytes);
  static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss,
 @@ -248,6 +252,7 @@ static const ssl3HelloExtensionHandler s
      { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
      { ssl_next_proto_nego_xtn,    &ssl3_ClientHandleNextProtoNegoXtn },
      { ssl_use_srtp_xtn,           &ssl3_HandleUseSRTPXtn },
 +    { ssl_channel_id_xtn,         &ssl3_ClientHandleChannelIDXtn },
      { ssl_cert_status_xtn,        &ssl3_ClientHandleStatusRequestXtn },
      { -1, NULL }
  };
 @@ -274,6 +279,7 @@ ssl3HelloExtensionSender clientHelloSend
      { ssl_session_ticket_xtn,     &ssl3_SendSessionTicketXtn },
      { ssl_next_proto_nego_xtn,    &ssl3_ClientSendNextProtoNegoXtn },
      { ssl_use_srtp_xtn,           &ssl3_SendUseSRTPXtn },
 +    { ssl_channel_id_xtn,         &ssl3_ClientSendChannelIDXtn },
      { ssl_cert_status_xtn,        &ssl3_ClientSendStatusRequestXtn },
      { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }
      /* any extra entries will appear as { 0, NULL }    */
-@@ -660,6 +666,52 @@ ssl3_ClientSendNextProtoNegoXtn(sslSocke
+@@ -669,6 +675,61 @@ ssl3_ClientSendNextProtoNegoXtn(sslSocke
      }
  
      return extension_length;
 +
 +loser:
 +    return -1;
 +}
 +
 +static SECStatus
 +ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type,
@@ skipping 16 matching lines @@
 +    PRInt32 extension_length = 4;
 +
 +    if (!ss->getChannelID)
 +       return 0;
 +
 +    if (maxBytes < extension_length) {
 +       PORT_Assert(0);
 +       return 0;
 +    }
 +
++    if (ss->sec.ci.sid->cached != never_cached &&
++        ss->sec.ci.sid->u.ssl3.originalHandshakeHash.len == 0) {
++        /* We can't do ChannelID on a connection if we're resuming and didn't
++         * do ChannelID on the original connection: without ChannelID on the
++         * original connection we didn't record the handshake hashes needed for
++         * the signature. */
++       return 0;
++    }
++
 +    if (append) {
 +       SECStatus rv;
 +       rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2);
 +       if (rv != SECSuccess)
 +           goto loser;
 +       rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
 +       if (rv != SECSuccess)
 +           goto loser;
 +       ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
 +               ssl_channel_id_xtn;
 +    }
 +
 +    return extension_length;
  
  loser:
      return -1;
 diff -pu a/nss/lib/ssl/ssl3prot.h b/nss/lib/ssl/ssl3prot.h
---- a/nss/lib/ssl/ssl3prot.h    2013-07-31 12:07:10.974699609 -0700
-+++ b/nss/lib/ssl/ssl3prot.h    2013-07-31 12:45:50.338515793 -0700
+--- a/nss/lib/ssl/ssl3prot.h    2014-01-03 19:28:03.550814608 -0800
++++ b/nss/lib/ssl/ssl3prot.h    2014-01-03 19:36:25.379018825 -0800
 @@ -129,7 +129,8 @@ typedef enum {
      client_key_exchange        = 16, 
      finished           = 20,
      certificate_status  = 22,
 -    next_proto         = 67
 +    next_proto         = 67,
 +    encrypted_extensions= 203
  } SSL3HandshakeType;
  
  typedef struct {
 diff -pu a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c
---- a/nss/lib/ssl/sslauth.c     2013-07-31 12:40:14.503586299 -0700
-+++ b/nss/lib/ssl/sslauth.c     2013-07-31 12:45:50.338515793 -0700
-@@ -219,6 +219,24 @@ SSL_GetClientAuthDataHook(PRFileDesc *s,
+--- a/nss/lib/ssl/sslauth.c     2014-01-03 19:31:09.783859095 -0800
++++ b/nss/lib/ssl/sslauth.c     2014-01-03 19:36:25.379018825 -0800
+@@ -216,6 +216,24 @@ SSL_GetClientAuthDataHook(PRFileDesc *s,
      return SECSuccess;
  }
  
 +SECStatus
 +SSL_SetClientChannelIDCallback(PRFileDesc *fd,
 +                              SSLClientChannelIDCallback callback,
 +                              void *arg) {
 +    sslSocket *ss = ssl_FindSocket(fd);
 +
 +    if (!ss) {
 +       SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetClientChannelIDCallback",
 +                SSL_GETPID(), fd));
 +       return SECFailure;
 +    }
 +
 +    ss->getChannelID = callback;
 +    ss->getChannelIDArg = arg;
 +
 +    return SECSuccess;
 +}
 +
  #ifdef NSS_PLATFORM_CLIENT_AUTH
  /* NEED LOCKS IN HERE.  */
  SECStatus 
 diff -pu a/nss/lib/ssl/sslerr.h b/nss/lib/ssl/sslerr.h
---- a/nss/lib/ssl/sslerr.h      2013-07-31 12:07:10.974699609 -0700
-+++ b/nss/lib/ssl/sslerr.h      2013-07-31 12:45:50.338515793 -0700
+--- a/nss/lib/ssl/sslerr.h      2014-01-03 19:28:03.550814608 -0800
++++ b/nss/lib/ssl/sslerr.h      2014-01-03 19:36:25.379018825 -0800
 @@ -193,6 +193,10 @@ SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM = (
  SSL_ERROR_DIGEST_FAILURE = (SSL_ERROR_BASE + 127),
  SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM = (SSL_ERROR_BASE + 128),
  
 +SSL_ERROR_BAD_CHANNEL_ID_DATA = (SSL_ERROR_BASE + 129),
 +SSL_ERROR_INVALID_CHANNEL_ID_KEY = (SSL_ERROR_BASE + 130),
 +SSL_ERROR_GET_CHANNEL_ID_FAILED = (SSL_ERROR_BASE + 131),
 +
  SSL_ERROR_END_OF_LIST  /* let the c compiler determine the value of this. */
  } SSLErrorCodes;
  #endif /* NO_SECURITY_ERROR_ENUM */
 diff -pu a/nss/lib/ssl/SSLerrs.h b/nss/lib/ssl/SSLerrs.h
---- a/nss/lib/ssl/SSLerrs.h     2013-07-31 12:07:10.964699464 -0700
-+++ b/nss/lib/ssl/SSLerrs.h     2013-07-31 12:45:50.338515793 -0700
+--- a/nss/lib/ssl/SSLerrs.h     2014-01-03 19:28:03.540814444 -0800
++++ b/nss/lib/ssl/SSLerrs.h     2014-01-03 19:36:25.379018825 -0800
 @@ -412,3 +412,12 @@ ER3(SSL_ERROR_DIGEST_FAILURE, (SSL_ERROR
  
  ER3(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM, (SSL_ERROR_BASE + 128),
  "Incorrect signature algorithm specified in a digitally-signed element.")
 +
 +ER3(SSL_ERROR_BAD_CHANNEL_ID_DATA, (SSL_ERROR_BASE + 129),
 +"SSL received a malformed TLS Channel ID extension.")
 +
 +ER3(SSL_ERROR_INVALID_CHANNEL_ID_KEY, (SSL_ERROR_BASE + 130),
 +"The application provided an invalid TLS Channel ID key.")
 +
 +ER3(SSL_ERROR_GET_CHANNEL_ID_FAILED, (SSL_ERROR_BASE + 131),
 +"The application could not get a TLS Channel ID.")
 diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
---- a/nss/lib/ssl/ssl.h 2013-07-31 12:45:11.497944276 -0700
-+++ b/nss/lib/ssl/ssl.h 2013-07-31 12:45:50.338515793 -0700
-@@ -958,6 +958,34 @@ SSL_IMPORT SECStatus SSL_HandshakeNegoti
+--- a/nss/lib/ssl/ssl.h 2014-01-03 19:36:09.938766379 -0800
++++ b/nss/lib/ssl/ssl.h 2014-01-03 19:36:25.379018825 -0800
+@@ -985,6 +985,34 @@ SSL_IMPORT SECStatus SSL_HandshakeNegoti
  SSL_IMPORT SECStatus SSL_HandshakeResumedSession(PRFileDesc *fd,
                                                   PRBool *last_handshake_resumed);
  
 +/* See SSL_SetClientChannelIDCallback for usage. If the callback returns
 + * SECWouldBlock then SSL_RestartHandshakeAfterChannelIDReq should be called in
 + * the future to restart the handshake.  On SECSuccess, the callback must have
 + * written a P-256, EC key pair to |*out_public_key| and |*out_private_key|. */
 +typedef SECStatus (PR_CALLBACK *SSLClientChannelIDCallback)(
 +    void *arg,
 +    PRFileDesc *fd,
@@ skipping 15 matching lines @@
 + * extension to be advertised. */
 +SSL_IMPORT SECStatus SSL_SetClientChannelIDCallback(
 +    PRFileDesc *fd,
 +    SSLClientChannelIDCallback callback,
 +    void *arg);
 +
  /*
  ** How long should we wait before retransmitting the next flight of
  ** the DTLS handshake? Returns SECFailure if not DTLS or not in a
 diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
---- a/nss/lib/ssl/sslimpl.h     2013-07-31 12:45:11.497944276 -0700
-+++ b/nss/lib/ssl/sslimpl.h     2013-07-31 12:45:50.338515793 -0700
-@@ -921,6 +921,9 @@ struct ssl3StateStr {
+--- a/nss/lib/ssl/sslimpl.h     2014-01-03 19:36:09.938766379 -0800
++++ b/nss/lib/ssl/sslimpl.h     2014-01-03 19:36:25.379018825 -0800
+@@ -700,6 +700,14 @@ struct sslSessionIDStr {
+ 
+            SECItem           srvName;
+ 
++            /* originalHandshakeHash contains the hash of the original, full
++             * handshake prior to the server's final flow. This is either a
++             * SHA-1/MD5 combination (for TLS < 1.2) or the TLS PRF hash (for
++             * TLS 1.2). This is recorded and used only when ChannelID is
++             * negotiated as it's used to bind the ChannelID signature on the
++             * resumption handshake to the original handshake. */
++           SECItem           originalHandshakeHash;
++
+            /* This lock is lazily initialized by CacheSID when a sid is first
+             * cached. Before then, there is no need to lock anything because
+             * the sid isn't being shared by anything.
+@@ -969,6 +977,9 @@ struct ssl3StateStr {
      CERTCertificateList *clientCertChain;    /* used by client */
      PRBool               sendEmptyCert;      /* used by client */
  
 +    SECKEYPrivateKey    *channelID;          /* used by client */
 +    SECKEYPublicKey     *channelIDPub;       /* used by client */
 +
      int                  policy;
                         /* This says what cipher suites we can do, and should 
                          * be either SSL_ALLOWED or SSL_RESTRICTED 
-@@ -1192,6 +1195,8 @@ const unsigned char *  preferredCipher;
+@@ -1246,6 +1257,8 @@ const unsigned char *  preferredCipher;
      void                     *pkcs11PinArg;
      SSLNextProtoCallback      nextProtoCallback;
      void                     *nextProtoArg;
 +    SSLClientChannelIDCallback getChannelID;
 +    void                     *getChannelIDArg;
  
      PRIntervalTime            rTimeout; /* timeout for NSPR I/O */
      PRIntervalTime            wTimeout; /* timeout for NSPR I/O */
-@@ -1524,6 +1529,11 @@ extern SECStatus ssl3_RestartHandshakeAf
+@@ -1590,6 +1603,11 @@ extern SECStatus ssl3_RestartHandshakeAf
                                              SECKEYPrivateKey *   key,
                                              CERTCertificateList *certChain);
  
 +extern SECStatus ssl3_RestartHandshakeAfterChannelIDReq(
 +    sslSocket *ss,
 +    SECKEYPublicKey *channelIDPub,
 +    SECKEYPrivateKey *channelID);
 +
  extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error);
  
  /*
+diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c
+--- a/nss/lib/ssl/sslnonce.c    2014-01-03 19:30:40.073373382 -0800
++++ b/nss/lib/ssl/sslnonce.c    2014-01-03 19:36:25.379018825 -0800
+@@ -182,6 +182,9 @@ ssl_DestroySID(sslSessionID *sid)
+         if (sid->u.ssl3.srvName.data) {
+             SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
+         }
++        if (sid->u.ssl3.originalHandshakeHash.data) {
++            SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE);
++        }
+ 
+         if (sid->u.ssl3.lock) {
+             PR_DestroyRWLock(sid->u.ssl3.lock);
 diff -pu a/nss/lib/ssl/sslsecur.c b/nss/lib/ssl/sslsecur.c
---- a/nss/lib/ssl/sslsecur.c    2013-07-31 12:45:11.497944276 -0700
-+++ b/nss/lib/ssl/sslsecur.c    2013-07-31 12:45:50.338515793 -0700
-@@ -1502,6 +1502,42 @@ SSL_RestartHandshakeAfterCertReq(PRFileD
+--- a/nss/lib/ssl/sslsecur.c    2014-01-03 19:36:09.938766379 -0800
++++ b/nss/lib/ssl/sslsecur.c    2014-01-03 19:36:25.379018825 -0800
+@@ -1584,6 +1584,42 @@ SSL_RestartHandshakeAfterCertReq(PRFileD
      return ret;
  }
  
 +SECStatus
 +SSL_RestartHandshakeAfterChannelIDReq(PRFileDesc *      fd,
 +                                     SECKEYPublicKey * channelIDPub,
 +                                     SECKEYPrivateKey *channelID)
 +{
 +    sslSocket *   ss = ssl_FindSocket(fd);
 +    SECStatus     ret;
@@ skipping 23 matching lines @@
 +loser:
 +    SECKEY_DestroyPublicKey(channelIDPub);
 +    SECKEY_DestroyPrivateKey(channelID);
 +    return SECFailure;
 +}
 +
  /* DO NOT USE. This function was exported in ssl.def with the wrong signature;
   * this implementation exists to maintain link-time compatibility.
   */
 diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
---- a/nss/lib/ssl/sslsock.c     2013-07-31 12:44:32.017363288 -0700
-+++ b/nss/lib/ssl/sslsock.c     2013-07-31 12:45:50.348515937 -0700
-@@ -354,6 +354,8 @@ ssl_DupSocket(sslSocket *os)
-            ss->handshakeCallback     = os->handshakeCallback;
-            ss->handshakeCallbackData = os->handshakeCallbackData;
+--- a/nss/lib/ssl/sslsock.c     2014-01-03 19:32:06.914793097 -0800
++++ b/nss/lib/ssl/sslsock.c     2014-01-03 19:36:25.379018825 -0800
+@@ -274,6 +274,8 @@ ssl_DupSocket(sslSocket *os)
+            ss->canFalseStartCallback = os->canFalseStartCallback;
+            ss->canFalseStartCallbackData = os->canFalseStartCallbackData;
             ss->pkcs11PinArg          = os->pkcs11PinArg;
 +           ss->getChannelID          = os->getChannelID;
 +           ss->getChannelIDArg       = os->getChannelIDArg;
      
             /* Create security data */
             rv = ssl_CopySecurityInfo(ss, os);
-@@ -1754,6 +1756,10 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
+@@ -1669,6 +1671,10 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
          ss->handshakeCallbackData = sm->handshakeCallbackData;
      if (sm->pkcs11PinArg)
          ss->pkcs11PinArg          = sm->pkcs11PinArg;
 +    if (sm->getChannelID)
 +        ss->getChannelID          = sm->getChannelID;
 +    if (sm->getChannelIDArg)
 +        ss->getChannelIDArg       = sm->getChannelIDArg;
      return fd;
  loser:
      return NULL;
-@@ -3027,6 +3033,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
+@@ -2946,6 +2952,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
         ss->badCertArg         = NULL;
         ss->pkcs11PinArg       = NULL;
         ss->ephemeralECDHKeyPair = NULL;
 +       ss->getChannelID       = NULL;
 +       ss->getChannelIDArg    = NULL;
  
         ssl_ChooseOps(ss);
         ssl2_InitSocketPolicy(ss);
 diff -pu a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h
---- a/nss/lib/ssl/sslt.h        2013-07-31 12:07:10.974699609 -0700
-+++ b/nss/lib/ssl/sslt.h        2013-07-31 12:45:50.348515937 -0700
-@@ -184,9 +184,10 @@ typedef enum {
+--- a/nss/lib/ssl/sslt.h        2014-01-03 19:28:03.560814773 -0800
++++ b/nss/lib/ssl/sslt.h        2014-01-03 19:36:25.379018825 -0800
+@@ -189,9 +189,10 @@ typedef enum {
      ssl_use_srtp_xtn                 = 14,
      ssl_session_ticket_xtn           = 35,
      ssl_next_proto_nego_xtn          = 13172,
-+    ssl_channel_id_xtn               = 30031,
++    ssl_channel_id_xtn               = 30032,
      ssl_renegotiation_info_xtn       = 0xff01  /* experimental number */
  } SSLExtensionType;
  
 -#define SSL_MAX_EXTENSIONS             9
 +#define SSL_MAX_EXTENSIONS             10
  
  #endif /* __sslt_h_ */